IAS as a proxy to Azure - specific customer requirements for Azure Conditional Access

Colt
Active Contributor

UPDATE (SOLVED)

Fortunately, SAP has delivered a solution for this - here is the documentation: Configure Different Trust Configurations for the Same Identity Authentication Tenant (Azure AD Apps)

Also check out this great blog: https://blogs.sap.com/2022/07/31/configure-different-trust-configurations-for-the-same-identity-auth...

In a nutshell, this significantly expands the use case of SAP Identity Authentication as a proxy towards AAD and allows including AAD security policies and further Conditional Access rules - if required for particular IAS applications (trusted Service Providers). That makes the proxy scenario even more attractive 🙂

____________________________________________________________

Hello together!

The following question requires some additional background information and context, so let's start.

Background

The corporate IT security department responsible for authentication dictates the use of Microsoft Azure Active Directory as the primary corporate identity provider to authenticate all users… and devices for all corporate web applications.

It is important to note that most SAP cloud applications will only trust SAP Identity Authentication (IAS) as their primary SAML identity provider, which means SAP Identity Authentication is mandatory to access SAP cloud applications. This way IAS is seen (and often used) as a central hub for the connected SAP applications.

But how to check for managed devices and use other security features that Azure provides when accessing SAP applications? Fortunately, there is an integration of the IAS as a proxy to Azure. The target is to provide single sign-on (SSO) between applications using Azure AD as an authenticating identity provider and applications using Identity Authentication as a proxy identity provider. Thereby all known security functions such as conditional access and MFA still can be used when accessing SAP applications.

In typical customer scenarios, a large number of service providers (so-called enterprise applications) may exist within the Azure Active Directory. Now a given tenant of the SAP Identity Authentication Service is one of them. It is significant to understand that from the perspective of Microsoft Azure Active Directory, the IAS is just one service provider. And this will become an important point to understand the challenge.

Once the Corporate IdP has been configured for a given application (some or all) there is another SAML AuthnRequest (example below) that is forwarded to the Azure destination.

<AuthnRequest AssertionConsumerServiceURL="https://<tenantID>.accounts.ondemand.com/saml2/idp/acs/<tenantID>.accounts.ondemand.com"
              ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
              Destination="https://login.microsoftonline.com/bbffd6ff-54e5-498a-8632-xxxxxxxx/saml2"
              ID="Sxxxxx51-c451-4xxb-8xx0b-ffexxxxxx5"
              IssueInstant="2020-09-30T18:38:56.113Z"
              Version="2.0"
              xmlns="urn:oasis:names:tc:SAML:2.0:protocol"
              xmlns:ns2="urn:oasis:names:tc:SAML:2.0:assertion"
              xmlns:ns4="http://www.w3.org/2001/04/xmlenc#"
              xmlns:ns3="http://www.w3.org/2000/09/xmldsig#">
  <ns2:Issuer>https://<tenantID>.accounts.ondemand.com</ns2:Issuer>
  <NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"/>
</AuthnRequest>

Azure AD uses the ID attribute (random) to populate the InResponseTo attribute of the returned response. The Issuer element in the AuthnRequest matches the App ID URI specified during application registration (Entity ID).

That makes it impossible for Azure to understand which of the many applications (SPs) maintained in IAS is used. For Azure, it is just an authentication request from the issuer IAS. There is no information about the concrete SAP cloud or on-premises application that may require special authentication rules. What do you think, isn't that an issue? For most organizations that may not be the case, for others it is.

Now you go ahead and set up SuccessFactors (here IAS is needed anyhow), some SCP Subaccounts, and some On-Premise S/4HANA systems to trust and use IAS as the IdP. Besides, the company has the requirement to separate between company managed devices (let us say using Microsoft Intune) or private devices (any other devices). Based on this, Azure should allow access according to the rules implemented via conditional access. Guidelines for conditional access are enforced after completion of the first-factor authentication, which is usually a successful login in Azure. Conditional access is therefore at the heart of the identity-driven control level. Such guidelines are like simple “if-then instructions”. If a user wants to access a resource, he has to fulfill certain conditions that relate to the device (that is required here), the IP-geolocation, the user, or his group memberships, the target application (important as well!!), and other factors. The actual access decision or the need for additional authentication (MFA) is then made based on this check.

The Requirement

The company needs to check the device status for any SAP application in use. Now they are faced with integrating access to SAP applications (on-premise or cloud) into this process. A question and requirement that came up yesterday during an SAP security workshop with a customer: he would like to restrict access to specific SAP cloud or on-premise applications and to allow private (non-managed) devices only for some target applications. Let us say access to SFSF should only work for users with managed company devices, while access to a central SAP Fiori Launchpad should be possible from any device.

By default, most of the corporate applications require a managed device to pass the Azure doorman. Without knowing the respective application, how can such a configuration be implemented with SAP IAS in conjunction with Azure Conditional Access?

Questions and ideas

As of now, it seems to be impossible to set up another corporate identity provider in IAS pointing to the same Azure tenant and thus the same entity ID.

  • Is there a way in Azure to export federation metadata with a different entity ID per enterprise application?
  • Is there a way to populate the application name/ID towards Azure via the AuthnRequest?
  • Is there a way to configure multiple Corporate Identity Providers using the same Azure tenant and perhaps then map the applications one-to-one?

Let us say you could create in Azure one enterprise application for each IAS application, each with individual conditional access rules and device requirements. Within the IAS application configuration, you select the corresponding default identity provider in each application. If Azure or IAS allowed that, it would help to achieve the desired goal. Azure would then understand the specific target application.

Do you have any ideas on how to meet this requirement? And please don't come up with multiple Azure tenants or the likes, that isn’t a serious solution 🙂

BTW: here is a similar question: https://answers.sap.com/questions/628883/multiple-sso-applications-using-ias-as-proxy-to-aa.html

Suggestions and tips are always welcome!

If no solution can be found on this channel, we would communicate the whole thing to SAP with the support of the customer. Thank you!

Cheers Colt

former_member612251
Participant
0 Kudos

Carsten, this is a great question! I have been battling with this issue as a whole for over a year now. SAP have yet to provide me with a concrete explanation as to why it is now mandatory to use IAS as the IDP for SAP cloud applications (the obvious reason is the answer of course ;)), and this is then compounded with the issues of flexibility like you have explained above and in the link to the other question. I would be very interested to hear about the response from SAP on this when you hear back.

LutzR
Active Contributor

Hi Carsten,

my understanding:
The priority of SAP is to carve out authentication functionality from their cloud products and delegate that to IAS tenants. They want to get rid of maintaining all the authentication options on their different cloud platforms.

They sacrifice the concept of one central IAS per company for this priority.

So the answer seems to me: use multiple IAS tenants for different authentication requirements. Since SAP gives away IAS tenants bundled with their cloud products for free, this should not be an issue financially.

From an architectural point of view this may be less than beautiful, of course.

Regards, Lutz

lucasvaccaro
Product and Topic Expert
0 Kudos

Just to comment on Lutz's message, SAP gives 1 prod and 1 test tenant per customer, regardless of the number of products used. Additional tenants have to be purchased separately.

Colt
Active Contributor
0 Kudos

Hi Lutz and Lucas,

thank you for your answers. That is a possible workaround, yes 😉

Unless SAP is planning to integrate this as a feature or the customer is actively promoting this, I would see it that way: operate one IAS tenant on which all SPs (applications) are created that should be accessible to external users, and a second one for SPs that are only accessible from corporate devices.

Cheers Colt

Accepted Solutions (0)

Answers (4)

Colt
Active Contributor

Hello everybody!

I had promised to make an update here as soon as a potential solution was found. Fortunately, SAP has delivered a solution for this - here is the documentation: Configure Different Trust Configurations for the Same Identity Authentication Tenant (Azure AD Apps)

In a nutshell, this significantly expands the use case of SAP Identity Authentication as a proxy towards AAD and allows including AAD security policies and further Conditional Access rules - if required for particular IAS applications (trusted Service Providers). That makes the proxy scenario even more attractive 🙂

Cheers Colt

Martin-Pankraz
Active Contributor
0 Kudos

Hi colt,

This is a nice addition to the AAD + SAP Cloud Identity Services materials out there. Would like to make you aware of our best-practices guide here.

Let me know what you think.

KR

Martin

0 Kudos

HI Carsten,

Thanks for the info, very useful. I'm trying to do a POC on a similar topic with Azure AD conditional access policy. However, we noticed that Azure AD does not recognise the Device ID [blank] when the request is sent via IAS. This prevents enabling some conditional access policies such as a managed corporate device vs. unmanaged device policy.

Have you noticed a similar issue, and what can be the fix?

Thanks in advance.

Colt
Active Contributor
0 Kudos

Hi Dinesh, I haven't got a clue; in the best case, first get confirmation from SAP support whether the device ID is really truncated in this scenario. I am not sure if this is part of the SAML request; I don't think so.

Regards Carsten

Colt
Active Contributor
0 Kudos

Michael! Well, I support the concept of SAP and the introduction of SAP Identity Authentication. I also understand the added value and use of IAS as a central authentication hub.

Only in very specific scenarios as described in my post, however, SAP should make improvements: the integration of SAP IAS into Azure AD should be possible on an application level, not only "system-wide".

Colt

former_member612251
Participant
0 Kudos

Hi Colt,

I see the introduction of IAS as a positive also for certain scenarios. I am curious as to what benefits you have seen introducing IAS as a proxy at companies who are using Azure as their primary IDP? IAS offers a lot of bells and whistles, but so does Azure in my experience.

Colt
Active Contributor
0 Kudos

Hi Michael, for benefits check out this blog: https://www.xiting.us/sap-ias-in-proxy-mode-and-its-coexistence-with-azure-active-directory/

...let's see if we find others with similar issues

Cheers Colt